Date: Mon, 18 Dec 2017 16:41:28 -0600
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification
On Dec 18, 2017, at 2:32 AM, e@...tmx.net wrote:
>> But consider:
>> The standard definitions that so many of us have given you
>
> have led us into the mess where non-secret identifiers are commonly used as auth tokens, where the entire credit card system is thoroughly useless, and still is being used.
It is a terrible problem that so many institutions are using knowledge of non-secret identifiers as “proof” of authenticity, but I don’t see how this is a problem with definitions that we’ve all quoted at you.
Indeed, your definition would, to the extent that these matter to what people do in practice, further encourage the bad behavior. If you require someone to give you their birthdate, then that becomes authentication by your definition.
It is only by separating the *goals* of identification and authentication that we can talk about what sort of knowledge and information works well for those purposes. This is why I like the current definition that is based on intent. Your definition doesn’t give us any handle on why knowledge of non-secrets makes for bad authentication tokens, while those same non-secrets may work well for identification.
Cheers,
-j